Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Traefik and self signed SSL certs
Running Wekan Mongodb with Traefik as a reverse proxy with a self-signed cert as containers on a single docker host.
Craig had been using nginx as a reverse proxy for a restyaboard install, but it was a bit opaque (at least to him) as to how to configure it to reverse proxy for multiple services, so he thought he'd try traefik and use Wekan as the service as a learning exercise and compare the two.
This was done to demo using containers as services (he works in an older style org and they're still stuck in a vmware/vm mentality).
Updated 5-10-18 for wekan v1.52 and mongodb 3.2.21
Note: my login is a member of the docker group on this docker host so I can exec docker commands.
sudo mkdir -p /opt/traefik/certs sudo chmod 755 /opt/traefik sudo chmod 750 /opt/traefik/certs
Created a self-signed cert and key for the application (its on an internal network so didn't want to mess with the Letsencrypt stuff that requires access to the internet and registered dns domains):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout wekan1.key -out wekan1.crt
Copied these to /opt/traefik/certs and set permissions:
chmod 644 /opt/traefik/certs/wekan1.crt chmod 600 /opt/traefik/certs/wekan1.key
Create a docker network web to use for traefik - this config doesn't require any ports exposed for wekan-app or wekan-db on the docker-host:
docker network create web
Created an internal dns entry wekan.myinternaldomain.org that is a cname for the docker host (i.e. Wekan resolves to the ip address of the docker host) - note that this config assumes that ports 80 and 443 don't have any processes from the docker host listening on those ports. If you don't have internal dns - put this in the relevant hosts file on the systems that will access the app, including the docker host.
added the following to
version: '2' services: traefik: image: traefik:latest ports: - 80:80 - 443:443 - 8080:8080 networks: - web volumes: - /var/run/docker.sock:/var/run/docker.sock - /opt/traefik/traefik.toml:/traefik.toml - /opt/traefik/certs/:/certs/ container_name: traefik networks: web: external: true
debug = false logLevel = "DEBUG" defaultEntryPoints = ["https","http"] [entryPoints] [entryPoints.http] address = ":80" [entryPoints.http.redirect] entryPoint = "https" [entryPoints.https] address = ":443" [entryPoints.https.tls] [[entryPoints.https.tls.certificates]] certFile = "/certs/wekan1.crt" keyFile = "/certs/wekan1.key" [entryPoints.eightzero] address = ":8080" [api] entrypoint = "eightzero" [retry] [docker] endpoint = "unix:///var/run/docker.sock" domain = "docker.localhost" watch = true exposedbydefault = false
The image is set as the latest for traefik - you may want to tie it to a particular version. Also added in the entrypoint for the trafik api (8080)
cd /opt/traefik docker-compose up
This will ouput to the terminal till you are ready to run it in the background with
docker-compose up -d . (stop the container running with Ctrl-c)
It exposes ports 80, 443 and 8080 on the docker host so you can check by webbing to
<docker hostip> but you should get a 404 error until wekan is up.
curl -H Host:wekan.myinternaldomain.org http://localhost
/var/run/docker.sock:/var/run/docker.sock on the container gives access to docker config so that traefik can be dynamic (thats more advanced) see https://traefik.io/ for extensive docs.
traefik.toml is the config for traefik. It sets up port 80 to redirect to 443. This is a very simple config - there's a whole lot more that you can do.
[docker] is where changes are read from.
- domain - default dns domain used.
- watch = true - watch docker changes.
- exposedbydefault = false - If set to false, containers that don't have
traefik.enable=truewill be ignored. (I haven't tried it with other containers yet so I've set it to false).
Now for Wekan:
This fairly standard with the addition of some labels(handy notes have been removed for brevity)
version: '2' services: wekandb: image: mongo:3.2.21 container_name: wekan-db restart: always command: mongod --smallfiles --oplogSize 128 networks: - web expose: - 27017 volumes: - wekan-db:/data/db - wekan-db-dump:/dump wekan: image: quay.io/wekan/wekan:v1.52 container_name: wekan-app restart: always networks: - web # traefik magic stuff here labels: - "traefik.backend=wekan-app" - "traefik.docker.network=web" - "traefik.frontend.rule=Host:wekan.myinternaldomain.org" - "traefik.enable=true" - "traefik.port=8080" - "traefik.default.protocol=http" #note: mail url points to ip address of docker host which has postfix running as a relay # for docker apps. ping me at email: firstname.lastname@example.org if you want the postfix config. # note here that an ip address is used instead of the servce name in the MONGO_URL - # this is a bug that I have to work out. To identify the IP address use docker network # inspect web when the wekandb is running environment: - MONGO_URL=mongodb://172.xx.xx.2:27017/wekan - ROOT_URL=http://wekan.myinternaldomain.org - MAIL_URL=smtp://172.17.0.1:25/ - MAIL_FROM='Wekan Support - <email@example.com>' # newer environment variables: - BROWSER_POLICY_ENABLED=true - TRUSTED_URL='' - WEBHOOKS_ATTRIBUTES='' depends_on: - wekandb volumes: wekan-db: driver: local wekan-db-dump: driver: local networks: web: external: true
One this is done - run wekan with:
This will run with logging output to the console - once its running ok - CTRL-C and start it up again with:
docker-compose up -d